A @RequestMapping method handles all matching requests by default, regardless of HTTP method. That means a method you intended only to be POST-ed to can also be called by a GET, allowing an attacker to trigger it from anywhere a browser will follow a URL. For example, a "transferFunds" method could be invoked by an image tag embedded in another page: <img src="http://bank.com/actions/transferFunds?recipientRouting=000000&recipientAccount=11111111&amount=200.00" width="1" height="1"/>

For that reason, you should always explicitly list the single HTTP method with which you expect your @RequestMapping Java method to be called. This rule raises an issue when the method attribute is missing and when it is configured with more than one verb. Mixing GET and POST verbs can lead to information leakage, since GET parameters end up in URLs, browser history and server logs. It is also easier to set up Spring Security's CSRF protection when there is only one verb per @RequestMapping.

Noncompliant Code Example

@RequestMapping("/greet")  // Noncompliant: no method given, so every HTTP verb is accepted
public String greet(String greetee) {
  return "Hello " + greetee;
}

@RequestMapping(path = "/delete", method = {RequestMethod.GET, RequestMethod.POST}) // Noncompliant: two verbs
String delete(@RequestParam("id") String id) {
  return "Hello from delete";
}

Compliant Solution

@RequestMapping(path = "/greet", method = RequestMethod.GET)
public String greet(String greetee) {
  return "Hello " + greetee;
}

@RequestMapping(path = "/delete", method = RequestMethod.GET)
String delete(@RequestParam("id") String id) {
  return "Hello from delete";
}

See